I am reviewing our checklist to audit routers - the concentration being on Cisco routers. I have the checklist below and was wondering if I am missing anything. Please let me know if we can add/change/delete anything - thinking if that you were going to audit your organization's router(s) - how would you approach it?

NOTE: My apologies for the formatting; I had to quickly change the formatting to fit the information here. This checklist is an amalgam of many authors/auditors in our organization.

2. Availability Management
A. Is the router proactively monitored and the network group notified in the event of unavailability?
B. Do software and hardware maintenance contracts exist? If so, are the problem response and resolution time appropriate?
C. Does redundant equipment exist (e.g. hot, warm, cold standby)?
D. Are there availability requirements? If so, are the requirements met?

The TCP small servers are:
Echo: Echoes back whatever you type by using the telnet x.x.x.x echo command.
Chargen: Generates a stream of ASCII data. The command to use is telnet x.x.x.x chargen.
Discard: Throws away whatever you type. The command to use is telnet x.x.x.x discard.
Daytime: Returns system date and time, if correct. It is correct if you are running Network Time Protocol (NTP) or have set the date and time manually from the exec level. The command to use is telnet x.x.x.x daytime.

The UDP small servers are:
Echo: Echoes the payload of the datagram you send.
Discard: Silently pitches the datagram you send.
Chargen: Pitches the datagram you send and responds with a 72 character string of ASCII characters terminated with a CR+LF.

To disable TCP and UDP small servers (global configuration mode):
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
To show status of CDP service:
Router> show cdp
To disable CDP globally:
Router(config)# no cdp run
To disable BOOTP service:
Router(config)# no ip bootp server
To disable FINGER service:
Router(config)# no service finger
To show status of HTTP service:
Router# show ip http server status
To disable HTTP service:
Router(config)# no ip http server
To show status of SNMP service:
Router# show snmp

5. Security Management - Audit / Logging
A. Are audit (e.g. syslog) functions enabled?
B. Are logs of appropriate level (e.g. informational) recorded?
C. Are Deny ACLs logged (Parameter 'log' or 'log-input' should be configured at the end of the ACLs to be logged)?
D. Are log entries recorded on a secured management workstation and reviewed by the network group on a regular basis?
E. Are system logs archived on a regular basis?

Notes:
To show status of system logging:
Router# show logging
To show the router ACLs:
Router> show access-lists [access-list-number | access-list-name]

6. Change Management
A. Are appropriate change management procedures established?
B. Are change records maintained?
C. Are the changes authorized prior to deployment?
D. Are contingency plans in place prior to implementing changes?
E. Who is authorized to make changes to the router?
F. Are the change management procedures supported by segregation of duties principles?

7. Release Management
A. Are routers running vendor supported software versions?
B. Are routers running software appropriate for the hardware and features required?
C. Are routers maintained with current fixes/patches?
D. Are applied patches/fixes documented?
E. Are patches/fixes applied in a timely manner?
F. Does the network group follow established change management procedures for applying patches/fixes?
G. Are patches/fixes tested and approved before deployment?

Notes:
To show Cisco IOS software version
Router> show version

8. Configuration Management
A. Are backup copies of the router configurations maintained?
B. Are the backup router configurations stored in a secured location?
C. Are router configurations documented?
D. When are router configuration backups performed (e.g. regular basis, post change)?
E. Have the router configurations ever been restored (production or test)?
F. Does the network group follow established change management procedures for applying configuration?
G. Are configurations tested and approved before deployment?

9. Problem Management
A. Are problems tracked and resolved on a timely basis?
B. Do adequate problem investigation and diagnosis procedures exist?
C. Are the members of the network group fully qualified and trained in router management and configuration?
D. Are there escalation paths (e.g. vendor, corporate, etc) for problem resolution?

10. Testing:
A. Test services that are supposed to be permitted.
B. Test services that are supposed to be denied.
C. Test from both the internal network and the external Internet (via ISP connection).

Well that's this checklist on routers (Cisco focused). I look forward to your feedback. I am hoping we have all the technical/administrative areas covered. Also, please note that this is one part of our whole audit of internet services. We also have a separate checklist for wireless networks now as well.

Thank you in advance for your help!

Note: I realized yesterday that I said "Feeback" instead of "Feedback" I could only fix it in the subject line. Sorry about that.

April 1st, 2005, 03:07 AM

aciscorouter

Hey KuiXing-2005, great topic, I'm actually writing a tutorial for hardening routers that I will be submitting in the Tut section soon.

Why not assess whether there is MD5 encryption or access-control for routing updates for peers?
Internal traceroute and some management protocols such as CiscoWorks and Tivoli require IP unreachables to be enabled. In this case you may want to allow ICMP unreachables, but to avoid backscatter, you could use "ip icmp rate-limit unreachable" instead.
Do you utilize a sinkhole or null routes for egress traffic that violates RFC1918 or is bogon?

2. Availability Management

I would add authentication or spoof protection on VRRP or HSRP updates.
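An added example, not from either poster: a small Python audit that runs the checklist's service and logging items (small servers, CDP, BOOTP, finger, HTTP, syslog, logged deny ACLs) plus the reply's additions (ICMP unreachable rate-limiting, HSRP and OSPF MD5 authentication) over a saved "show running-config". The SAMPLE_CONFIG is constructed, and the regexes assume standard IOS syntax; a "default" status means the config is silent and the matching show command should confirm the real state.

```python
import re

# Constructed sample "show running-config" output; every value here is made up.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service udp-small-servers
logging buffered 16384 informational
logging host 10.0.0.5
no ip bootp server
ip http server
cdp run
ip icmp rate-limit unreachable 500
interface GigabitEthernet0/0
 standby 1 ip 192.0.2.254
 standby 1 authentication md5 key-string K3y
router ospf 1
 area 0 authentication message-digest
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 deny ip any any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
"""
# Global services the checklist wants off: the bare stem enables, "no <stem>" disables.
SERVICES = ["service tcp-small-servers", "service udp-small-servers", "ip bootp server",
            "service finger", "ip http server", "cdp run"]
# Logging items and the reply's additions: a regex that must match some config line.
REQUIRED = {
    "syslog host": r"^logging (host )?\d+\.\d+\.\d+\.\d+",
    "informational buffer": r"^logging buffered .*informational",
    "icmp unreachable rate-limit": r"^ip icmp rate-limit unreachable",
    "hsrp md5 authentication": r"^\s+standby \d+ authentication md5",
    "ospf md5 authentication": r"^\s+area \S+ authentication message-digest",
}

def service_status(config, stem):
    """'enabled'/'disabled' from an explicit line; 'default' when the config is silent
    (IOS omits default settings, so confirm those with the matching show command)."""
    lines = set(config.splitlines())
    if stem in lines:
        return "enabled"
    return "disabled" if "no " + stem in lines else "default"

def audit(config):
    report = {stem: service_status(config, stem) for stem in SERVICES}
    for item, pat in REQUIRED.items():
        report[item] = "pass" if re.search(pat, config, re.M) else "fail"
    return report

def unlogged_denies(config):
    """Numbered-ACL deny entries that lack the trailing log / log-input keyword."""
    return [l for l in config.splitlines()
            if re.match(r"^access-list \d+ deny ", l) and not re.search(r" log(-input)?$", l)]
```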